Privacy Policy

Last updated: April 2026


Data Controller: [Your School Name]

Data Protection Officer / Contact: [dpo@yourschool.ac.uk]

Applicable Law: UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018

1. Who we are

[Your School Name] operates the GymHut fitness tracking platform ("the Platform") for use by its students and staff. [Your School Name] is the Data Controller for all personal data processed through the Platform. GymHut is provided as a software service to [Your School Name] by TechHut IO ("the Processor"), who processes data on behalf of [Your School Name] under a data processing agreement.

2. What data we collect

We collect and process the following categories of personal data:

Category | Data collected | Purpose
Account | Full name, email address, password (hashed) | Authentication and account management
Profile | Height, profile picture (optional) | BMI calculation and personalisation
Health & fitness | Body weight, body measurements, body fat %, exercise logs, food logs, calorie data | Performance tracking and coaching
Activity | Login timestamps, last active date | Safeguarding and platform management
Communications | Notice board posts read/unread status | Ensuring students receive important notices

Health and fitness data (weight, measurements, body fat, exercise logs) constitutes special category data under UK GDPR Article 9. We process this data on the basis of explicit consent provided at registration, and in the legitimate interests of supporting student athletic development under the supervision of qualified staff.

3. Lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Consent (Article 6(1)(a)) — for special category health and fitness data, provided explicitly at registration
  • Legitimate interests (Article 6(1)(f)) — for operational data such as login timestamps and activity monitoring, in the legitimate interest of safeguarding students and maintaining platform security
  • Contract (Article 6(1)(b)) — where processing is necessary to provide the Platform service to students and staff

4. How we use your data

  • To provide you with access to the GymHut platform and its features
  • To allow teachers and school staff to monitor student training activity, wellbeing and progress
  • To calculate and display fitness metrics including BMI and performance trends
  • To send transactional emails — account confirmation, password reset, welcome messages
  • To maintain security through login monitoring and account lockout protections
  • To comply with our obligations under education and safeguarding law

We do not use your data for advertising, sell your data to third parties, or use it for any automated decision-making that produces legal or similarly significant effects.

5. Who we share data with

Recipient | Reason | Safeguards
TechHut IO | Software provider — hosts and maintains the Platform | Data Processing Agreement in place; UK-based hosting
Microsoft Azure | Cloud infrastructure hosting | UK data residency; standard contractual clauses
SendGrid / Email provider | Transactional email delivery | UK GDPR compliant; data processing agreement in place

No data is transferred outside the United Kingdom.

6. How long we keep your data

Data type | Retention period
Student account and all associated data | Retained while the student is enrolled. Deleted within 30 days of account closure or request.
Teacher account data | Retained while employed at [Your School Name]. Deleted within 30 days of leaving.
Exercise, food and body metric logs | Retained for the duration of the account. Deleted with the account.
Login and activity timestamps | 90 days rolling retention for security purposes.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — request we limit how we process your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact our Data Protection Officer at [dpo@yourschool.ac.uk]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Security

We implement appropriate technical and organisational measures to protect your personal data including: bcrypt password hashing, HTTPS encryption in transit, role-based access controls, account lockout after failed login attempts, two-factor authentication (optional), and regular security reviews. Access to student data is restricted to staff at [Your School Name] with a legitimate need.

9. Children's data

GymHut is used by students who may be under 18. Where users are under 18, [Your School Name] acts as the responsible party for obtaining appropriate consents in accordance with the Children and Families Act 2014 and relevant ICO guidance on children's data. Students under 13 require parental consent before registering.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the GymHut platform. Continued use of the Platform after changes constitutes acceptance of the updated policy.

11. Contact

For any data protection queries, contact: [dpo@yourschool.ac.uk]

To contact the ICO: ico.org.uk · 0303 123 1113